Surprise Ransomware Spreading Via TeamViewer

A fresh ransomware threat, dubbed “Surprise” (for presumably obvious reasons), has been discovered lurking in the popular TeamViewer support app this week.

TeamViewer is a cloud-based remote collaboration and sharing app used by 90%+ of Fortune 500s. According to figures from Netskope, a cloud security company that monitors app usage trends, it has exploded in popularity recently—with 1,792% growth in the past year within the fast growing Office 365 ecosystem.

The behavior of the ransomware is similar to that of Backoff, the notorious malware involved in the Target, Home Depot, Dairy Queen, and PF Chang breaches.

According to researchers, the Surprise ransomware developer co-opted the credentials of a TeamViewer user, then used those credentials to connect to other TeamViewer users' machines and download the malware file onto them via TeamViewer. The malware appends a “.surprise” suffix to each file it encrypts.

The attack vector is similar to earlier instances in which remote access and control apps, including LogMeIn and JoinMe, were used by hackers to gain access to corporate networks and install the infamous Backoff malware, which steals point-of-sale data. This method is especially effective in retail, restaurants, and other industries with highly distributed systems, where branch networks depend heavily on centralized IT support models.

“Netskope has been advising our customers to find and understand all such apps that are accessing their remote branches, and put proper authentication and auditing technologies and procedures in place to prevent unauthorized access and be able to produce forensic audit trails in the case of a suspected breach,” said Netskope’s director of cloud security research, Ravi Balupari, in a blog. “TeamViewer and ransomware looks an awful lot like the Backoff distribution model, except instead of stealing PoS data, the ransomware developers are holding corporate data for ransom.”

Malware that spreads through the cloud can also become subject to a fan-out effect.

“The fan-out is what happens when malware travels via sync and share in cloud apps…where a ransomware victim would have his files encrypted, then those encrypted files synced to the cloud, then other users who were also synced to those same cloud folders had their files encrypted, and so on,” explained Balupari.

Because of the necessity of remote support apps in distributed businesses, this threat is especially insidious, he added, and businesses should take appropriate steps, as recommended by TeamViewer.
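The two concrete facts above, the “.surprise” suffix and the fan-out through synced folders, give a responder something to triage on. The following is an added example, not code from the article or from Netskope: it walks a synced share root, collects every “.surprise” file, groups hits by the first-level folder (assumed here to be one folder per synced user or team) and orders the folders by earliest modification time, so the folder where encryption started surfaces first. The share layout is constructed sample data.

```python
import os
import tempfile
import time
from pathlib import Path

SURPRISE_SUFFIX = ".surprise"  # extension the article reports the malware appends


def find_encrypted(root):
    """Return every file under the share root that carries the .surprise suffix."""
    root = Path(root)
    return sorted(p for p in root.rglob("*") if p.is_file() and p.suffix == SURPRISE_SUFFIX)


def fanout_report(root):
    """Group hits by first-level folder (assumed: one folder per synced user/team) and
    sort by earliest file mtime, so the likely first-hit folder comes first. Returns a
    list of (folder, {"count": n, "first_seen": epoch_seconds}) tuples."""
    root = Path(root)
    buckets = {}
    for p in find_encrypted(root):
        rel = p.relative_to(root)
        owner = rel.parts[0] if len(rel.parts) > 1 else "."
        mtime = p.stat().st_mtime
        b = buckets.setdefault(owner, {"count": 0, "first_seen": mtime})
        b["count"] += 1
        b["first_seen"] = min(b["first_seen"], mtime)
    return sorted(buckets.items(), key=lambda kv: kv[1]["first_seen"])


def build_sample():
    """Construct a throw-away share (sample data, not a real capture) with three synced
    user folders; alice's encrypted files get the oldest timestamps, modelling the first
    victim whose files were synced out to the others."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    now = time.time()
    layout = {  # folder -> [(filename, seconds before now)]
        "alice": [("q1-report.xlsx.surprise", 3600), ("notes.txt.surprise", 3500)],
        "bob": [("deck.pptx.surprise", 1800), ("budget.csv", 1700)],
        "carol": [("readme.md", 900)],  # synced but not (yet) hit
    }
    for folder, files in layout.items():
        (root / folder).mkdir()
        for name, age in files:
            f = root / folder / name
            f.write_text("constructed sample content")
            os.utime(f, (now - age, now - age))
    return root


if __name__ == "__main__":
    for folder, info in fanout_report(build_sample()):
        print(f"{folder}: {info['count']} encrypted, first seen {time.ctime(info['first_seen'])}")
```

Point it at a real sync-client root instead of `build_sample()` to see which synced folders already carry encrypted files and in what order they were touched.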